https://www.cbronline.com/wp-content/uploads/2020/05/kevin-hackert-QAhSBj237_w-unsplash.jpg

Gov’t Launches Test and Trace – But There’s Still No App

Personal data to be held for 20 years

The government today announced the May 28 launch of its test and trace service: a long 90 days and 37,460 deaths after the first coronavirus case was recorded in the UK on January 29, 2020.

Despite the launch, it admitted that that the NHS Test and Trace application itself would not be available for weeks.

This has been held up as the National Cyber Security Centre (NCSC) scrambles to patch security bugs in the application, which takes a heavily centralised approach to contact tracing.

The NHS Test and Trace app is “is due to be launched in the coming weeks once contact tracing is up and running” the government said today.

It did not specify a more concrete date.

A privacy policy for the app meanwhile published in March notes that “personal [sic] identifiable information collected by the NHS Test and Trace on people with coronavirus or who have symptoms will be kept for 20 years.”

This will include

Personal information on the contacts of people with coronavirus, will be kept for five years, the notice says.

An independent security review of the application recognised the “well-designed protections against many of the attacks that threaten a contact tracing scheme” But it also highlighted that “data stored on device is not encrypted, beyond the inherent BroadcastValue encryption. This allows anyone with access to a device to utilise the data for surveillance.”

Test and Trace App: “Encryption of the proximity logs just couldn’t be done in time”

The NCSC’s Dr Ian Levy noted on May 19 that “the beta version of the app doesn’t encrypt the proximity contact event data on the phone, and we don’t independently encrypt it before sending to the server. So when it’s transferred to the back end, it’s protected only by TLS.

He added: “The NHS team absolutely understand that data has value and needs to be protected properly, but encryption of the proximity logs just couldn’t be done in time for the beta. This will be fixed.”

He did not give a timeline for the fix.

So, Without An Application, Test and Trace is…

The test and trace strategy announced today will have four pillars:

NHS Test and Trace will have 25,000 dedicated contact tracing staff working with Public Health England. They will be able to trace up to 10,000 contacts of those confirmed infected every day and notify them.

The Executive Chair of NHS Test and Trace, is Dido Harding, who was CEO of Talk Talk in 2015 when it was hacked and the details of 156,959 customers was stolen. (The incident cost it £60 million and lost it 95,000 customers).

Baroness Harding became Chair of NHS Improvement in 2017.

She is married to Conservative MP John Penrose and sits in the House of Lords as a Conservative peer.

She said today: “This is a brand new service which has been launched at incredible speed and scale.

“NHS Test and Trace already employs over 40,000 people, both directly and through trusted partners, who are working hard to deliver both testing and contact tracing at scale.”